22.12.16

OurMine hijacks Netflix’s US Twitter account


Netflix has become the latest big name brand to have one of its social media accounts hijacked by OurMine.
The hacking collective was briefly able to take over Netflix’s US Twitter account yesterday (December 21st), posting numerous tweets that were indicative of its signature style.
This included: “Hey, it’s OurMine, Don’t worry we are just testing your security, contact us to tell you more about that…”
There was some initial confusion about whether Netflix, which describes itself as the world’s leading internet television network, had regained full control over its account.
However, this has since been resolved. At the time of writing, no further details have been made as to how OurMine was able to gain access.
OurMine has built a reputation for compromising high-profile individuals and organizations.
This includes Facebook’s CEO, Mark Zuckerberg, whose Twitter, LinkedIn and Pinterest accounts were hijacked in June.
It was revealed at the time that his password for all three accounts was the same. It was “dadada”.
Other victims include Variety, which had its content management system compromised in September.
Reporting on the incident at the time, the print and online publisher said: “In contrast to many other hackers, OurMine doesn’t typically attempt to shut down websites or abscond with data.
“The anonymous group positions itself as a cybersecurity outfit that raises awareness for its services by hacking into prominent people and brands.”


21.12.16

Year-end cybercrime update 2016: an avalanche of good news?


Cybersecurity can at times be a strange career, one in which good news is sometimes defined as no news, as in: Hooray! We haven’t been hacked today! And some of cybersecurity’s good news is bad news for other people, for example: “Teen behind Titanium DDoS Stresser pleads guilty in London”. Yet even some of this good news is hard to enjoy. I would not use “happy” to describe my reaction to that headline; more like “sad” because a young man made some bad choices and recovering from the consequences of those choices will be difficult for him.
Then again, you can also say that one less bad actor active in cyberspace is always good news for all those who spend their time defending information systems. So, at this time of the year, when word of good tidings is either on our minds, or on the radio, or both, I decided to highlight some wins for the good people who are working to keep the bad people in check.
Below you will find 20 success stories in the struggle against cybercrime. They range from indictments to arrests, extraditions to sentencing. These reports are not placed in any particular order or ranking and I have probably missed some cases. I made the URLs explicit so you can see the range of publications now covering these events, and I decided not to comment on each case individually in order to stress their cumulative impact. Taken together they demonstrate the extent to which cybercrime has become a part of modern life and, in turn, an increase in resources devoted to deterring it.
Looking at this list I get the sense that law enforcement efforts in cyberspace bore more fruit in 2016 than in any other year, and that is good news. Here’s hoping for an even better year in 2017!
1.     Hacker Gets 4 Years in Prison for Selling Stolen Bank Accounts on the Dark Web – https://www.bleepingcomputer.com/news/security/hacker-gets-4-years-in-prison-for-selling-stolen-bank-accounts-on-the-dark-web/
2.     Russian Hacker Suspected in Massive LinkedIn Breach Arrested Overseas – http://abcnews.go.com/US/russian-hacker-suspected-massive-linkedin-breach-arrested-overseas/story?id=42912836
3.     Joint Cyber Operation Takes Down Avalanche Criminal Network Servers Enabled Nefarious Activity Worldwide – https://www.fbi.gov/news/stories/joint-cyber-operation-takes-down-avalanche-criminal-network
4.     Feds Accuse Two 19-Year-Olds Of Hacking For Lizard Squad and PoodleCorp – http://motherboard.vice.com/read/feds-accuse-two-19-year-olds-of-hacking-for-lizard-squad-and-poodlecorp
5.     2 Israelis arrested for major hacking operation after FBI tip-off – http://www.timesofisrael.com/2-israelis-arrested-for-major-hacking-operation-after-fbi-tip-off/
6.     The hacker behind world’s largest-ever bank hack arrested in Russia – http://www.techworm.net/2016/10/hacker-behind-worlds-largest-ever-bank-hack-arrested-russia.html
7.     North Carolina men arrested, charged with hacking senior U.S. officials (Crackas with Attitude) – http://www.cbsnews.com/news/north-carolina-men-arrested-charged-hacking-senior-us-officials/
8.     Teen Behind Titanium DDoS Stresser Pleads Guilty in London: used to launch over 1.7 million DDoS attacks – http://news.softpedia.com/news/teen-behind-titanium-ddos-stresser-pleads-guilty-in-london-509811.shtml
9.     Global authorities arrest 34 in DDoS bust; suspects mostly teenagers – https://www.scmagazine.com/global-authorities-arrest-34-in-ddos-bust-suspects-mostly-teenagers/article/578671/
10.   Police arrested a hacker who allegedly triggered a DDoS attack on the 911 emergency call system – http://www.theverge.com/2016/10/30/13471128/meetkumar-hiteshbhai-desai-arrest-911-exploit
11.   Accused Pippa Middleton hacker arrested by London police – http://www.today.com/video/accused-pippa-middleton-hacker-arrested-by-london-police-772772931547
12.   NSA contractor arrested in hacking plot – http://nypost.com/2016/10/05/nsa-contractor-arrested-in-hacking-plot/
13.   Kennesaw State Student Arrested for Hacking School Computer: Faces up to 15 years in jail – http://www.teenvogue.com/story/kennesaw-state-student-arrested-for-hacking-school-computer
14.   Three men arrested in connection with mobile handset upgrade fraud enabled by unauthorised access to customer data – http://www.computerweekly.com/news/450403170/Hackers-arrested-in-Three-mobile-upgrade-scam
15.   Florida Computer Programmer Arrested For Hacking Linux Kernel Organization and the Linux Foundation – https://www.justice.gov/usao-ndca/pr/florida-computer-programmer-arrested-hacking
16.   FBI Arrests Customer of Xtreme Stresser DDoS-for-Hire Service – https://www.bleepingcomputer.com/news/security/fbi-arrests-customer-of-xtreme-stresser-ddos-for-hire-service/
18.   Suspected JP Morgan hacker arrested after returning from Moscow – http://www.cbsnews.com/news/joshua-samuel-aaron-suspected-jp-morgan-hacker-arrested-after-returning-from-moscow/
20.   British booter bandit walks free after pleading guilty to malware sales – http://www.theregister.co.uk/2016/04/11/grant_manser_sold_50k_in_stressers_sidesteps_slammer/
Notes on cybercrime and “the cyber”
The US will inaugurate a new president in January amid an unprecedented level of controversy and concern about what the president-elect once referred to as “the cyber”. Amidst all the talk, there is a worrying tendency to bundle cybercrime with other unwelcome activities in cyberspace. Allow me to explain.
As a presidential candidate Mr. Trump talked about the need to make cybersecurity “a major priority for both the government and the private sector” (those words come from the official text of candidate Trump’s speech on cybersecurity, as “prepared for delivery” and archived on the wonderful WayBack Machine). He went on to say:
“Cyber-attacks from foreign governments, especially China, Russia, and North Korea along with non-state terrorist actors and organized criminal groups, constitute one of our most critical national security concerns.” [emphasis added]
Unfortunately, while this sounds good, it is not entirely accurate: the three different threats enumerated in that sentence are not one and the same thing, and not all cybercrimes are a matter of national security. To be clear, Mr. Trump is not alone in his conflation of these things; we hear it a lot when government contractors, especially defense contractors, talk about cybersecurity. I agree that all three threats are real, but the response to each needs to be very different, and fighting cybercrime as though it is a matter of national defense makes no sense.
To Mr. Trump’s credit, some of those prepared remarks do specifically call for a law enforcement pursuit of criminals in addition to a militaristic response to terrorist and nation state activity in cyberspace. Unfortunately, other remarks return to conflated thinking, lapsing into dogma with which a lot of security professionals would disagree, such as: “We should turn cyber warfare into one of our greatest weapons against the terrorists.” Frankly, I don’t think that is a good idea, and I’d be happy to explain to the new administration why I think that.

20.12.16

IoT attacks: 10 things you need to know

By Editor
Something major happened in October. Internet of Things (IoT) devices were exploited by cybercriminals and turned into a rogue and malevolent army. A series of distributed denial of service (DDoS) attacks against Dyn, a cloud-based internet performance management company whose DNS service many large sites rely on, disrupted access to Amazon, Twitter, Reddit, Spotify and PayPal. It’s possibly a watershed moment.

“We have been shown just how vulnerable the internet – which is now an integral part of the critical infrastructure of the US and many other countries – is to disruptive abuse conducted at scale, by persons whose identity is not immediately ascertainable,” ESET’s Stephen Cobb concluded in his analysis of the event.
Now, with Christmas upon us and the increasingly volatile world markets never more dependent upon online transactions, everyone is desperate to stop repeat attacks.

1.     Wait, what’s IoT?
Definitions vary, but the ‘Internet of Things’ refers to ‘smart devices’ like refrigerators that tell us when we’re out of milk, and also to many smaller, less outlandishly smart objects such as thermostats, coffee machines and cars. These gadgets are embedded with electronics, software, sensors and network connectivity so that they can connect to the internet and exchange data.

2.     So, what’s the problem?
Anything that connects to the internet, even if it doesn’t contain your medical records, poses a risk. The October 21st attacks were made possible by the large number of unsecured internet-connected digital devices, such as home routers and surveillance cameras.
The attackers infected thousands of them with malicious code to form a botnet. Now, this is not a sophisticated means of attack, but there is strength in numbers. They can be used to swamp targeted servers, especially if they march in all at once.

3.     How did the attacks actually happen?
Remember that bit in the instruction manual where it told you to change the default password? Well, if you didn’t, then chances are your IoT device could spring to life as a cyber zombie. The DDoS-attackers know the default passwords for many IoT devices and used them to get in. It’s a bit like leaving your house keys under a flowerpot for anyone to find.
Anyone putting an IoT router, camera, TV or even refrigerator online without first changing the default password is enabling attacks of this type. Recent ESET research suggests at least 15% of home routers are unsecured – that’s an estimated 105 million potentially rogue routers.

4.     Wait, do I need IoT devices?
Some people dismiss IoT devices as gimmicky; others believe that in a few years we’ll all have smart cupboards that tell us what we can have for dinner. But there are numerous discernible benefits, such as the sensors in smartphones and smartwatches that provide real information about our health. Or the “blackbox” telematics in cars which can prove how safe or unsafe our driving is and thus help with insurance claims.

5.     So, this is a new problem?
Nope. The possibility of exploitation of this kind has been common knowledge since, well, the dawn of the IoT, but we didn’t realize quite how vulnerable we were until October. Malicious code infecting routers is nothing new, as ESET research has clearly demonstrated.
The advice to change the default passwords on these devices is definitely not new and has been repeated many times. Yet you can lead a horse to water, but you can’t make it drink. Two years ago WeLiveSecurity reported on the existence of 73,000 security cameras exposed online with default passwords.

6.     How far does it go back?
The IoT actually goes back as far as the 1980s, in a slightly Back to the Future iteration: researchers at Carnegie Mellon University connected a Coke vending machine to the internet in 1982 so they could check remotely whether it was stocked and whether the bottles were cold.

7.     Surely, internet giants have the power to stop this?
Sure they do. But that doesn’t mean some of them haven’t left gaping holes open to malicious exploitation. At the Black Hat security conference in 2014, security research students from the University of Central Florida demonstrated how, with physical access to the device, they could compromise Google’s Nest thermostat within 15 seconds.
Daniel Buentello, one of the team members, was quoted as saying in 2014: “This is a computer that the user can’t put an antivirus on. Worse yet, there’s a secret backdoor that a bad person could use and stay there forever. It’s a literal fly on the wall.”

8.     What can I personally do to stop this?
Treat IoT devices like any other computer. Change the default password immediately, check regularly for security patches, and use the HTTPS management interface rather than plain HTTP wherever the device offers one. When you’re not using the device, turn it off. If the device supports other connection protocols or services that you don’t use (Telnet, for instance), disable them.
These things might sound simple, but you’d be alarmed by how easy it is to opt for convenience over good sense. Only half of respondents to this ESET survey indicated that they’d changed their router passwords.

9.     What can companies do to stop this?
You might think, ‘What’s the point? If attackers can knock Amazon offline, what hope does my firm have?’ Well, don’t give up hope. Organizations can defend against DDoS attacks in a range of ways, including boosting the capacity of their network infrastructure and ensuring complete visibility of the traffic entering and leaving their networks, which helps detect an attack early. They should also make sure they have sufficient DDoS mitigation capacity and capabilities, whether in house or through an upstream provider. Finally, have a DDoS defense plan in place, keep it updated and rehearse it on a regular basis.
Think of it like a fire drill for your network. Also, watch out for Telnet servers. These are the dinosaurs of the digital universe and should be extinct: Telnet sends credentials in clear text, and on embedded devices it is exactly the service the October botnet logged in to with default passwords. Never expose one on a public-facing device; disable it, and use SSH if remote access is genuinely needed.

10.   But … and this is a big but …
The tech might have been around for a while, but attacks at this scale are new. As such, there is no agreed best practice for stopping an IoT device from turning against you.
At least, not one that the experts can agree on. Some believe you should put the devices behind a firewall in your home or business and restrict control of them to authorized users. Another approach is certificate-based authentication: only clients presenting the right security certificate may control the devices, and any unauthorized client is automatically refused. If in doubt, unplug it.
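Items 3, 8 and 9 above all come back to the same two conditions: a Telnet service reachable over the network and a login that still uses the factory default. The following Python script, added here as a worked example and not code from the original article or from ESET, audits devices you own for exactly that combination. The credential list, the hosts and the BusyBox-style prompts are assumptions, and MockIoTDevice is a constructed stand-in for a camera or router so that the script runs offline against 127.0.0.1.

```python
"""Audit your own devices for exposed Telnet and factory-default logins.

Added example (not from the original article or from ESET). Credentials,
hosts and prompt strings are assumptions; MockIoTDevice is a constructed
stand-in so everything runs offline on 127.0.0.1.
"""
import socket
import threading

# Assumption: a handful of well-known factory defaults. A real audit loads
# the vendor list for the models in your inventory. Port 2323 is a common
# alternate Telnet port on embedded devices.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("root", "root"),
    ("admin", "password"),
    ("root", ""),
]


def _read_until(sock, markers, limit=4096):
    """Read until one of `markers` appears, the peer closes, or recv times out."""
    buf = b""
    while len(buf) < limit and not any(m in buf for m in markers):
        try:
            chunk = sock.recv(256)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf


def telnet_exposed(host, port, timeout=2.0):
    """True if something accepts a TCP connection on the given Telnet port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def try_telnet_login(host, port, username, password, timeout=2.0):
    """Attempt one login; True if the device hands back a shell prompt.

    Telnet option negotiation (IAC bytes) is simply ignored; most embedded
    daemons proceed to the login prompt regardless.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            _read_until(s, (b"login:", b"sername:"))
            s.sendall(username.encode() + b"\r\n")
            _read_until(s, (b"assword:",))
            s.sendall(password.encode() + b"\r\n")
            reply = _read_until(s, (b"incorrect", b"# ", b"$ "))
    except OSError:
        return False
    return b"incorrect" not in reply.lower() and (b"# " in reply or b"$ " in reply)


def audit(hosts):
    """Return (host, port, user, password) for each device accepting a default login."""
    findings = []
    for host, port in hosts:
        if not telnet_exposed(host, port):
            continue  # nothing listening: not a Telnet problem
        for user, pw in DEFAULT_CREDENTIALS:
            if try_telnet_login(host, port, user, pw):
                findings.append((host, port, user, pw))
                break  # one hit is enough to flag the device
    return findings


class MockIoTDevice:
    """Constructed stand-in for a camera/router running a BusyBox Telnet daemon."""

    def __init__(self, accepted=("root", "root")):
        self.accepted = accepted
        self._srv = socket.socket()
        self._srv.bind(("127.0.0.1", 0))  # OS picks a free port
        self._srv.listen(5)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self._srv.accept()
            except OSError:
                return  # server socket closed
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with conn:
            conn.settimeout(2.0)
            conn.sendall(b"\r\nlogin: ")
            user = _read_until(conn, (b"\n",)).strip()
            conn.sendall(b"Password: ")
            pw = _read_until(conn, (b"\n",)).strip()
            if (user.decode(errors="replace"), pw.decode(errors="replace")) == self.accepted:
                conn.sendall(b"\r\nBusyBox v1.1\r\n# ")
            else:
                conn.sendall(b"\r\nLogin incorrect\r\n")

    def close(self):
        self._srv.close()


if __name__ == "__main__":
    unpatched = MockIoTDevice(accepted=("root", "root"))           # default left in place
    hardened = MockIoTDevice(accepted=("root", "c0rrect-h0rse!"))  # password was changed
    inventory = [("127.0.0.1", unpatched.port), ("127.0.0.1", hardened.port)]
    for host, port, user, pw in audit(inventory):
        print(f"{host}:{port} accepts default login {user!r}/{pw!r}: change it or disable Telnet")
    unpatched.close()
    hardened.close()
```

Run it only against hosts you are authorized to test. A device that shows up in the findings has both problems at once: the Telnet daemon should be disabled (or at least blocked from the internet at the router) and the password changed; a device that is exposed but rejects every default still has the clear-text Telnet problem and belongs on the same to-do list.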


15.12.16

Santa Claus has optimized his supply chain, but is now struggling with complex customs processes and high import duties

Letter from Santa Claus: problems with customs

Santa Claus looks around nervously in his modern office in the port of Rotterdam. His elves are struggling with the growing piles of paper on their desks. A few more weeks until Christmas and he is on the verge of burnout. He curses the day he hired the consultancy McChristmas. It is all their fault.
“Move the logistics center from the North Pole to regions closer to your customers,” was their advice. “And save on production costs by outsourcing to the cheapest producers in the world.” It sounded like good advice, because a shortage of manpower at the North Pole threatened to cause problems.

No eye for detail
But import duties, export controls, complicated customs procedures and unannounced inspections: the consultancy had not foreseen any of that hassle. At least not in the management summary he had read. Should he have gone through the whole report after all? Either way, the damage was done.
In previous years he had never had to worry about such matters. He could sleep in every morning and only needed to spur on his elves. A few days of hard work at the end of December was really all he had to do. Customs issues never played a role, because the North Pole was in international waters, wasn’t it? But since the supply chain optimization last summer he has done nothing but sit in the office trying to sort out all the administrative misery.

Even Santa Claus looks for help online
This cannot go on, Santa thinks, as a soft ‘ping’ reveals that he has received a new message. A reply from AEB. Finally. When he searched online for help with his problems, he had stumbled upon this software vendor. That led to a short email with questions about digitizing and automating customs processes.
Would they have answered all his questions? Santa opens the email and searches through the many attachments. He discovers a document with answers to every question he had asked. He starts reading immediately.
  
Dear Santa Claus,
First of all, thank you for your interest. We do not normally give advice on customs matters, but of course we have all the expertise in house and are happy to make an exception for you. Below you will find our answers to your questions.

1.            I have outsourced my production to manufacturers all over the world. Since it is all gifts, I don’t have to pay import duties, do I?
Unfortunately, the Dutch and European customs authorities see it differently, as you have already noticed. All those manufacturers are now suppliers, and the authorities will probably regard you, not least given the scale of your activities, as a businessman. You can of course explain to them that you are Santa Claus and deserve special treatment, but there is no legal basis for that.

2.            I receive all shipments from all over the world here in Rotterdam and my team has to clear everything through customs. Then on Christmas Eve most of it goes back across the border to children all over the world. How cumbersome. Can’t that be simpler?
Of course it can. Try to obtain a bonded warehouse license for the logistics center in Rotterdam. Gifts stored there only have to be cleared when they leave the warehouse. If they leave the EU again straight away, clearance is not needed at all. Unfortunately, time is rather short to arrange a bonded warehouse license now.

3.            If I move my logistics center to a country outside the EU and deliver the gifts from there directly to the children in the EU, then I don’t have to pay import duties, do I?

Unfortunately, we suspect the customs authorities will treat you as an e-commerce company. That means you simply have to pay import duties. However, goods worth less than €22 are exempt from import duties and VAT until 2021. The question is whether your gifts, given today’s wish lists, are that cheap. Moreover, this exemption does not apply to alcohol and tobacco. If the products are worth between €22 and €150, you do not have to pay import duties, but you do have to pay VAT.

4.            These customs duties are a heavy burden on my wallet. Can we lighten the load a bit?

You can make use of trade agreements. The EU has concluded more than forty trade agreements with a hundred countries around the world. If you import goods from these countries, you can benefit from them. You do have to be able to present a certificate of origin, but given the volume of your flows it is worth a try. Incidentally, the reverse also applies: if you produce goods in the EU, that gives you an advantage when exporting to countries with which the EU has concluded bilateral agreements.

5.            When I travel from country to country for my Christmas deliveries, do I also have to pay import duties everywhere on my reindeer and sleigh?

No, at least not if you bring all your equipment back to Rotterdam complete. You can use an ATA Carnet for transporting professional equipment across the borders of the participating countries. For your reindeer, however, you also have to take account of the veterinary regulations in the various countries. We are not experts in this area, but if you have to put your reindeer in quarantine for months, you might consider using local animals.

6.            And what about export control? Don’t tell me I actually have to screen all the children against sanctions lists.

As far as we know, you already screen all children for naughtiness anyway? But indeed, there are many export control lists. That need not lead to delays. There are IT solutions that run in the background and screen all addresses automatically.

7.            And may I give gifts to children from countries under embargo?

Certainly. Most restrictions exist only for weapons and dual-use goods. They do not apply to humanitarian goods or goods that meet daily needs. But you do have to stay alert. If a child from North Korea asks for a rocket launcher, alarm bells should ring. It is also wise to check chemistry sets and computer accessories for prohibited items. There are also restrictions on sending delicacies from the EU to Russia. So keep the recipes for your Christmas wreath cookies and almond pastry logs to hand and adapt them if necessary.
Finally: good luck this Christmas. We are happy to help you optimize your import and export processes, but we understand if you want to concentrate first on the upcoming deliveries.

Merry Christmas from your AEB team

14.12.16

Teenager’s phone confiscated for TalkTalk cyberattack offenses


A 17-year-old who pleaded guilty to offenses relating to 2015’s TalkTalk cyberattack has had his iPhone confiscated and been sentenced to a 12-month rehabilitation order.
The teenager also had his laptop and hard drive taken away, an order that was decided by Norwich Youth Court in the UK.
The sentence, made on December 13th, followed a hearing into the data breach, where the boy owned up to his transgression and told magistrates: “I was just showing off to my mates”.
Speaking to the youngster, who cannot be named because of his age, Jean Bonnick, chairman of the bench, said: “Your IT skills will always be there – just use them legally in the future.”
The attack, which happened on October 21st last year, cost the telecom group £42 million.
Personal data of over 150,000 customers was accessed in the breach; of these, 15,000 people had their financial information compromised.
The boy was charged with seven offenses, two of which were related to the TalkTalk cyberattack.
Investigators also found that he had been targeting other websites, including those belonging to Cambridge University and Manchester University.
Speaking to the court last month, he said of his crimes: “It was a passion – not anymore. I won’t let it happen again. I have grown up.”
The age of the offender highlights how young cybercriminals can be. Statistics released by the UK’s National Crime Agency earlier in the year showed that the average age of a cybercriminal is now just 17, compared with 24 in 2015.
Speaking after the attack in 2015, TalkTalk’s CEO, Dido Harding, described cybercrime as “the crime of our generation”.

13.12.16

ESET strengthens protection in the face of the global growth of ransomware

The new ESET Ransomware Shield adds extra layers of protection to its HOME products to actively monitor and block threats
ESET is strengthening its defenses against ransomware by adding Ransomware Shield, an additional layer of protection on top of its existing protection technologies (Cloud Malware Protection System, Network Attack Protection and DNA Detections). The feature is available now in ESET HOME security products for the Windows operating system.
Ransomware Shield monitors and evaluates all running applications using behavioral heuristics and actively blocks any behavior that resembles ransomware. In addition, Ransomware Shield can also block modifications to existing files (that is, their encryption).
Ransomware Shield is enabled by default and requires no user intervention until a detection occurs. At that point, the system asks the user whether to approve or refuse the blocking action.
Ransomware is a particular type of malware that targets users’ files. The most common type, filecoders, encrypts data and demands a ransom to restore access. The main attack vectors are email attachments and exploit kits.
You can learn more about this feature, the new ESET HOME consumer product range for Windows, and the threats that lie in wait for us at WeLiveSecurity.com.